KUNAK TECHNOLOGIES S.L.
Introduction
At KUNAK TECHNOLOGIES S.L., we design and operate environmental monitoring and IoT solutions that process critical data for our customers. Trust in our services is based on ensuring that information is always available, accurate, and properly protected against unauthorized access.
Through this Information Security Policy, Management expresses its commitment to protecting information and complying with all applicable legal and contractual requirements, integrating security into all of the organization’s processes and services.
1. Purpose and scope
This Policy aims to establish the general principles and guidelines for managing information security at KUNAK TECHNOLOGIES S.L.
Its scope includes:
- All information systems, infrastructures and services managed by KUNAK TECHNOLOGIES S.L., both internal and in the cloud.
- All own personnel and third parties that have access to such systems or to information managed by the organization.
Compliance with this Policy is mandatory for all persons and entities included in its scope.
2. Reference framework
Information security management at KUNAK TECHNOLOGIES S.L. is aligned with the Spanish National Security Framework (ENS) and with the ISO/IEC 27001 standard for information security management systems, currently in the certification process.
Likewise, it complies with the applicable data protection legislation, including Regulation (EU) 2016/679 (GDPR) and Organic Law 3/2018 (LOPDGDD), on the basis of which the organization’s internal procedures and controls are developed.
3. Security principles
KUNAK TECHNOLOGIES S.L. commits to protecting information under the following principles:
- Confidentiality: information shall only be accessible to authorized persons, systems or entities.
- Integrity: information shall be accurate and complete, preventing unauthorized modifications or uncontrolled errors.
- Availability: systems and services shall be operational when needed, with the continuity and resilience levels defined.
- Authenticity: the identity of the parties involved and the origin of the data exchanged shall be guaranteed.
- Traceability: relevant actions shall be recorded so that they can be analyzed and audited.
4. Organization and responsibilities
The Management of KUNAK TECHNOLOGIES S.L. assumes the ultimate responsibility for information security and approves this Policy.
The organization has an Information Security Committee, made up of the service, information, security and system managers, which has among its functions:
Service Manager
- Establish the service security requirements, including interoperability, accessibility and availability requirements.
- Determine the security levels of the services.
- Formally approve the security level of the service.
Information Manager
- Ensure the proper use of the information and, therefore, its protection.
- Be ultimately responsible for any error or negligence that leads to an incident of confidentiality or integrity.
- Establish the security requirements of the information.
- Determine the security levels of the information.
- Formally approve the security level of the information.
Security Manager
- Maintain the appropriate level of security of the information handled and of the services provided by the systems.
- Carry out or promote the periodic audits required by the ENS to verify compliance with its requirements.
- Manage training and awareness in ICT security.
- Verify that the existing security measures are appropriate to the entity’s needs.
- Review, complete and approve all documentation related to system security.
- Monitor the security status of the system provided by the security event management tools and audit mechanisms implemented in the system.
- Support and supervise the investigation of security incidents from their notification until their resolution, issuing periodic reports on the most relevant ones to the Committee.
System Manager
- Manage the Information System throughout its entire lifecycle, from specification and installation to monitoring of its operation.
- Define the criteria for use and the services available in the System.
- Define user access policies to the System.
- Approve the changes affecting the security of the operating mode of the System.
- Determine the authorized configuration of hardware and software to be used in the System and approve significant modifications to such configuration.
- Perform the analysis and risk management of the System.
- Prepare and approve the security documentation of the System.
- Determine the category of the system according to the procedure described in Annex I of the ENS and determine the security measures to be applied as described in Annex II of the ENS.
- Implement and control the specific security measures of the System.
- Establish contingency and emergency plans, carrying out frequent exercises so that staff become familiar with them.
- Suspension of the handling of certain information or the provision of a certain service if it detects serious security deficiencies that could affect compliance with the established requirements.
All personnel, as well as collaborating companies working with KUNAK TECHNOLOGIES S.L., must know and comply with this Policy and the internal regulations that develop it.
5. Risk management and compliance
KUNAK TECHNOLOGIES S.L. carries out risk analyses and management of its information systems, reviewing them periodically and whenever significant changes, new threats or relevant incidents occur.
The organization undertakes to:
- Implement technical and organizational measures in accordance with the level of risk.
- Maintain evidence of compliance with the ENS, ISO/IEC 27001, GDPR, LOPDGDD and other applicable regulations.
- Subject its systems to periodic reviews and audits, internal and third-party.
6. Personal data protection
Personal data are processed only when they are adequate, relevant and not excessive for the legitimate purposes of the organization and its customers.
KUNAK TECHNOLOGIES S.L. applies appropriate technical and organizational measures to:
- Ensure a security level appropriate to the risk.
- Facilitate the exercise of data subject rights.
- Ensure the confidentiality, integrity and availability of personal data throughout their entire lifecycle.
7. Training, awareness and third parties
Information security is the responsibility of all persons participating in the activities of KUNAK TECHNOLOGIES S.L.
The organization:
- Provides periodic training and awareness in information security and data protection.
- Contractually requires suppliers and third parties that provide services or process information for KUNAK TECHNOLOGIES S.L. to comply with equivalent security requirements to its own.
- Establishes supervision and coordination mechanisms regarding security with such third parties.
8. Incident management and continuity
KUNAK TECHNOLOGIES S.L. has procedures for the detection, notification, analysis and response to information security incidents, as well as for the recovery of affected services.
The organization maintains backup, contingency and business continuity plans that allow essential services to be restored in the event of a serious failure or disaster, in accordance with the requirements agreed with customers and with the ENS.
9. Review and continuous improvement
This Information Security Policy shall be reviewed at least once a year, or when significant changes occur in the systems, services, applicable regulations or identified risks.
Management and the Information Security Committee promote the continuous improvement of the security management system, incorporating lessons learned from audits, reviews, risk analyses and incident management.